Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
95s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
11/07/2024, 22:05
General
-
Target
db5cac8b5183788ef7a2bff46c8a6944a279c57493815db08991a10f23e30ade.exe
-
Size
1.1MB
-
MD5
f998f7d326ec4cd553f8fdb36467848d
-
SHA1
739647976e0d44a04695a92053c7a786a3b0d5d2
-
SHA256
db5cac8b5183788ef7a2bff46c8a6944a279c57493815db08991a10f23e30ade
-
SHA512
640fd8a33902f581e83317b8fe75b320e9fe27e423acc11cf3399957f2bd2f4ecae29fb83e5387a86c3550d4dd648dae7f0ec54e1eb6098fa620b4ffc375bcba
-
SSDEEP
24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qf:CcaClSFlG4ZM7QzMI
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\db5cac8b5183788ef7a2bff46c8a6944a279c57493815db08991a10f23e30ade.exe"C:\Users\Admin\AppData\Local\Temp\db5cac8b5183788ef7a2bff46c8a6944a279c57493815db08991a10f23e30ade.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
753B
MD5b6dd94c09456d05bce8a061bc88ee1d8
SHA107e2a5dff0e8285690f9f5e9968f19968966ee90
SHA2569e18433c74887e2acea3225b55efc7ae2d8a2abacb6cc9712cecf8ce55732519
SHA5120d6fdb013c542d3f0b08c4518b3ae9661a62e3f84826078c7f08c82470fc0dd2ffbb3678be55dc9bf7ad392131cc26738188c9bfccc6a05c4749849c81be3ef6
-
Filesize
1.1MB
MD55164320bc0239c598f1c9202fe05972a
SHA1dab58bf494f5daaa71af9c97918f028352ad63a5
SHA256e6055c2b1eadc842618cdcb5b48e6528e27e9877b78a348374821f586076b2f5
SHA5125578e03107bf3814847414e7211cb00846c70c1b8aeba7a0d060ad4c5125cc447962aee84b67577576402d8e53179d3f35b9246e7b29c3baeb1903e60ed73547
-
Filesize
1.3MB